corveda / phpsandbox Goto Github PK

Hello,

I am using PHPSandbox and have a specific requirement regarding function and method calls within the sandbox. Specifically, I would like to allow certain methods of a class to execute, even if they internally use functions that I want to restrict from being called directly by the user.

For example, I want to permit the method Biz::find() to be called, which internally uses various mysqli_* functions. However, I do not want to allow any direct calls to mysqli_* functions within the sandbox. Essentially, Biz::find() should be allowed, but any direct invocation of mysqli_connect(), mysqli_query(), etc., should be disallowed.

Here are some micro code examples to illustrate the requirement:

Desired Behavior:

class Biz {
    public static function find() {
        // Internally uses mysqli_* functions
        $mysqli = mysqli_connect("localhost", "user", "password", "database");
        // Other mysqli_* operations...
    }
}

// Allowed
Biz::find();

Undesired Behavior:

// Disallowed
$mysqli = mysqli_connect("localhost", "user", "password", "database");

PHPSandbox Configuration:

How can I configure PHPSandbox to allow Biz::find() but disallow direct calls to mysqli_* functions? I am looking for a way to specify this within the sandbox environment.

Thank you for your help.

Hello,

is there any way to get, at the end of the execution, all the functions that have been executed? Something similar to saving in an array all the $name that pass through the checkFunc method of PHPSandbox.php.

Thanks!

PHPSandbox throws an error if there's a check for a superglobal variable.

The code:

<?php
isset($_SERVER);
?>

The error message:

Fatal error: Cannot use isset() on the result of an expression (you can use "null !== expression" instead) in /.../vendor/corveda/php-sandbox/src/PHPSandbox.php(6885) : eval()'d code on line 8

The following code will fail:

$sandbox = new PHPSandbox\PHPSandbox;
$sandbox->defineVar('test', "\\'");
$sandbox->execute("echo $test;")

The problem is caused by line 6487 in src/PHPSandbox.php:

$output[] = '$' . $name . " = '" . addcslashes($value, "'") . "'";

The string \' will be escaped to \\', so the \ will be considered as escaped by PHP but not the '.

Replacing the line by

$output[] = '$' . $name . " = '" . addcslashes($value, "'\\") . "'";

would solve the problem

https://github.com/Corveda/PHPSandbox/blob/main/src/PHPSandbox.php#L2670

If you attempt to pass a non-static method callable in, for instance: [$instance, 'methodName'] it passes the callable typehint, then gets nuked by whatever that condition block is all about, and then throws an exception about being uncallable. Why?

And attempting to pass a nested array does not pass the callable typehint. I can workaround this by passing a closure to perform the same work, but this is still an issue.

In theory this would also break static class method calls in array syntax as well, possibly leading to bizarre or even dangerous behavior if the class name is still callable or invokable.

If instance methods are unsupported or otherwise should not be used, they should be checked for properly. Please do not mangle my callable.

Running this code $TwoWeeksAgo = new DateTime(date("Ymd"));

on the demno here https://code.phpsandbox.org/ results in this error message:

Sandboxed code attempted to call invalid type: DateTime

Is there a way to make this work?

Code:

function foo(int ...$a) {
	return $a;
}

$ints = [1,2];
foo(...$ints);

Result:
Compile Error: Cannot use positional argument after argument unpacking

Generated code causing the error:

return foo(\PHPSandbox\wrapByRef(...$ints, \PHPSandbox\PHPSandbox::getSandbox('__PHPSandbox_ff7c8ab064063e1d4d509dfbadda498e')));

What happens if you attempt to do so? What if you want to enable such functionality. what do you do?

I plan to use this library to run user's input code in isolated environment with most functions blacklisted by default. (On some relatively safe string and array manipulation). I wonder if there is any security that I should consider? I can imagine that all the SERVER, SESSION variables should be blacklisted or overriden as well?

Please consider adding return types to SandboxedString methods (offsetSet and offsetUnset) to eliminate errors such as (in PHP >= 8.1):

Return type of PHPSandbox\SandboxedString::offsetSet($offset, $value) should either be compatible with ArrayAccess::offsetSet(mixed $offset, mixed $value): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice

Please I don't know why this not working

<?php

require_once 'vendor/autoload.php';

use PHPSandbox\PHPSandbox;

function test($string){
    return 'Hello ' . $string;
}

class Server {
    public function sendMessage($message) {
        echo "Sending message: " . $message;
    }
}
$Server = new Server();

$sandbox = new PHPSandbox();
$sandbox->whitelistClass("Server");
$sandbox->whitelistVar("Server");
$sandbox->defineVars(['Server']);

$result = $sandbox->execute('<?php 
echo $Server->sendMessage("ping google.com");
?>');

var_dump($result);

Fatal error: Uncaught PHPSandbox\Error: Cannot define unnamed variable! in /data/data/com.termux/files/home/php/bota/vendor/corveda/php-sandbox/src/PHPSandbox.php:7195
Stack trace:
#0 /data/data/com.termux/files/home/php/bota/vendor/corveda/php-sandbox/src/PHPSandbox.php(2774): PHPSandbox\PHPSandbox->validationError('Cannot define u...', 203, NULL, '')
#1 /data/data/com.termux/files/home/php/bota/vendor/corveda/php-sandbox/src/PHPSandbox.php(2792): PHPSandbox\PHPSandbox->defineVar(0, 'Server')
#2 /data/data/com.termux/files/home/php/bota/test.php(21): PHPSandbox\PHPSandbox->defineVars(Array)
#3 {main}
thrown in /data/data/com.termux/files/home/php/bota/vendor/corveda/php-sandbox/src/PHPSandbox.php on line 7195

For example :

$sandbox = new PHPSandbox;
function test ($values)
{
return $values;
}
$sandbox->whitelistFunc(['test','dd']);
$sandbox->allow_casting = true;

$result = $sandbox->execute(function(){
return test(['required','date', 'copy']);
});

print_r(
$result ,
);

Hi, is it possible to Declare Global vars inside the Sandbox, and make them available only there...?
I need this because i want to execute a lot of functions using same global vars => but i need to execute them in multithreading environment, so don't need them to access same var with same memory stack (same pointer), need to separate them without changing the Arhitecture and classes...

Fatal error: Cannot use positional argument after named argument in /data/data/com.termux/files/home/php/bota/vendor/corveda/php-sandbox/src/PHPSandbox.php(6990) : eval()'d code on line 28

Why after sandbox throw error "Sandboxed code attempted to call invalid function: file_put_contents" it will still go ahead and run the code, Why?

I was able to get my idea working with plain eval. See the code below:

function staticEval($_code)
{
    static $_vars = [];
    extract($_vars);
    $_result = eval($_code);
    $_vars = get_defined_vars();
    unset($_vars['_vars']);
    unset($_vars['_code']);
    unset($_vars['_result']);
    return $_result;
}

staticEval('$a = "hello world!";');
staticEval('echo "$a\n";');

I have many customers and each one need a customizate reports. It's inviable create one code report to each one.

I think to create a report crud with a text editor box, in this box I will write the php code to run in phpSandbox (with restric environment obviosly) to agroup the mysql results (sql query would run out of sandbox and inject the result in phpSandbox) and build the report as my costumer wish.

Conclusion: I would use the phpSandbox(with restric environment) only to handle the pdf/excel generator to build the report.

Could I do that? Could have any security problem?

Code to run in sandbox:

$registers = sort($mysqlResultsInjected);

$excel = new Excel();

foreach($registers as $register) {
   $excel->row([$register->id, $register->name]);
}

$excel->output();

I came across this online PHP sandbox app similar to this project (closed source and not available except as an online service) http://sandbox.onlinephpfunctions.com/

I noticed it allows to run the PHP code on up to 62-63 different PHP versions!

I am curious, would it be difficult to allow a project like this to work across multiple PHP versions? I realize it would likely require the hosting server to have all the available PHP versions installed but was just curious if it might be easy to add support for this project to work across multiple versions when available?

I need to log every arguments before eval statement is executed. I know eval is a language construct, but still cant find a way to rewrite it.

The attempts gives me error message as below:
eval()'d code(3) : eval()'d code on line 1

So the question is, is it possible to rewrite a keyword or could I place a filter before eval is executed.

Hi! Latest release v2.0.1 released this on 20 May 2016

Now there are 11 commits not included in any of the releases.

Hi.
First of all thanks for the outstanding job. Really useful.
Now the problem. In the PHP code I need to vaildate/sandbox in my project I use extensively the constant PHP_EOL. If I write code using this constant, "as is", i. e. without defining it in advance by means of $sandbox->define_consts(), the validator rises an exception complaining about the fact that the PHP_EOL isn't defined.
On the other hand, if I do define the const, upon execution of the sandboxed code (via $sanbox->execute("<code>")) the PHP engine issues a notice: "Notice: const PHP_EOL already defined".
This should not be a big issue per se if i wouldn't use the SandBox in an Ajax context.
Any, so to say, "uncontrolled" output from the PHP engine is deemed to break the response mechanism I set up for my ajax call. This forces me to suppress warning/notice output by means of the @ sign to prevent undesired output from breaking my response to the ajax call.
This is clearly a patch. Suppressing the PHP engine output will surely hide any "wanted" notification about the state of execution of the sandboxed code, making thus the use of the Sandbox almost useless.
Is there a way to circumvent this problem? Am I missing some important concept in the usage of this tool?

Thanks again

It says in the introduction that:

Can redefine internal PHP and other functions to make them more secure for sandbox usage.

So I have tried using defineFunc like below:

         $newSandbox=$this->sandbox->defineFunc("phpinfo", function(){
             echo "hellow phpinfo";
         });
         $newSandbox->whitelistFunc('phpinfo');
         #printHello('1\n');
         $newSandbox->execute(function(){
             phpinfo();
         });

But it seems doesn't work fine with eval statement. Furthermore, Could I have any method to inherit internal function other than totally rewrite it.

Best regrads.

Hello,

Is there anything preventing you from using the latest version of nikic/php-parser (v.4)?
We have other dependencies in our projects which require the newer version (at least version 3) and we are having troubles with that.

I'm using php 8

[25-May-2023 14:13:07 UTC] PHP Fatal error: Uncaught ValueError: trigger_error(): Argument #2 ($error_level) must be one of E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE, or E_USER_DEPRECATED in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php:7233
Stack trace:
#0 /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php(7233): trigger_error('Fatal error: Ca...', 1)
#1 /home/test/test.php(21): PHPSandbox\PHPSandbox->__call('setPrepend', Array)
#2 {main}
thrown in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php on line 7233
[25-May-2023 14:13:07 UTC] PHP Fatal error: Uncaught ValueError: trigger_error(): Argument #2 ($error_level) must be one of E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE, or E_USER_DEPRECATED in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php:7233
Stack trace:
#0 /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php(7233): trigger_error('Fatal error: Ca...', 1)
#1 /home/test/test.php(21): PHPSandbox\PHPSandbox->__call('setPrepend', Array)
#2 {main}
thrown in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php on line 7233
[25-May-2023 14:13:09 UTC] PHP Fatal error: Uncaught ValueError: trigger_error(): Argument #2 ($error_level) must be one of E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE, or E_USER_DEPRECATED in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php:7233
Stack trace:
#0 /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php(7233): trigger_error('Fatal error: Ca...', 1)
#1 /home/test/test.php(21): PHPSandbox\PHPSandbox->__call('setPrepend', Array)
#2 {main}
thrown in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php on line 7233
[25-May-2023 14:13:13 UTC] PHP Fatal error: Uncaught ValueError: trigger_error(): Argument #2 ($error_level) must be one of E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE, or E_USER_DEPRECATED in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php:7233
Stack trace:
#0 /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php(7233): trigger_error('Fatal error: Ca...', 1)
#1 /home/test/test.php(21): PHPSandbox\PHPSandbox->__call('setPrepend', Array)
#2 {main}
thrown in /home/test/vendor/corveda/php-sandbox/src/PHPSandbox.php on line 7233

When a variable is passed to a function, the sandbox wraps it with a "wrap" function. If the variable is a string with a callable value like "time", the "wrap" function returns a SandboxedString object. The target function receives the SandboxedString object instead of the string. Understand that the SandboxedString object was trying to prevent unsafe code to run by a callable variable. However, it has following issues.

1. The gettype function in the target function returns "object" instead of "string". The var_dump and var_export functions are okay.
2. Strict comparison of input values in the target function fail because they are objects instead of strings.
3. I don't know if this could have any security concern because the SandboxedString passed into custom function contains a lot of information.

Following code replicates the issue. The gettype in obj_b->getValue returns "object". The strict comparison in obj_a->test returns "false" even the same strings are submitted to the function.

echo '001';
echo '<br>';

$execode = '';
$appcode = '';

$execode = 'class obj_a {' .
			'	function test($x, $y, $cusfun) {' .
			'		$a = $cusfun[\'b\']->getValue($x);' .
			'		$b = $cusfun[\'b\']->getValue($y);' .
			'		return ($a === $b);' .
			'	}' .
			'}' .
			'class obj_b {' .
			'	function getValue($x) {' .
			'		echo gettype($x) . \'<br>\';' .
			'		return $x;' .
			'	}' .
			'}' .
			'$cusfun[\'a\'] = new obj_a();' .
			'$cusfun[\'b\'] = new obj_b();';
			
$appcode = 'return $cusfun;';

echo '002';
echo '<br>';

$sandboxcusfun = new PHPSandbox\PHPSandbox;

$sandboxcusfun->setOptions(['allow_classes'=>1]);
$sandboxcusfun->defineVar('cusfun',null);

$cusfun = $sandboxcusfun->execute($execode . $appcode);

echo '003';
echo '<br>';
var_dump($cusfun);
echo '<br>';

$r = 'nothing';
if ($cusfun['a'] && method_exists($cusfun['a'], 'test')) {
	$r = $cusfun['a']->test('ob_clean','ob_clean',$cusfun);
}

echo '005';
echo '<br>';

var_dump($r);
echo '<br>';

echo '006';
echo '<br>';

Deprecated: Return type of FunctionParser\Tokenizer::seek($index) should either be compatible with SeekableIterator::seek(int $offset): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 302

Deprecated: Return type of FunctionParser\Tokenizer::current() should either be compatible with Iterator::current(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 248

Deprecated: Return type of FunctionParser\Tokenizer::next() should either be compatible with Iterator::next(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 256

Deprecated: Return type of FunctionParser\Tokenizer::key() should either be compatible with Iterator::key(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 274

Deprecated: Return type of FunctionParser\Tokenizer::valid() should either be compatible with Iterator::valid(): bool, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 284

Deprecated: Return type of FunctionParser\Tokenizer::rewind() should either be compatible with Iterator::rewind(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 292

Deprecated: Return type of FunctionParser\Tokenizer::count() should either be compatible with Countable::count(): int, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 378

Deprecated: Return type of FunctionParser\Tokenizer::offsetExists($offset) should either be compatible with ArrayAccess::offsetExists(mixed $offset): bool, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 313

Deprecated: Return type of FunctionParser\Tokenizer::offsetGet($offset) should either be compatible with ArrayAccess::offsetGet(mixed $offset): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 324

Deprecated: Return type of FunctionParser\Tokenizer::offsetSet($offset, $value) should either be compatible with ArrayAccess::offsetSet(mixed $offset, mixed $value): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 336

Deprecated: Return type of FunctionParser\Tokenizer::offsetUnset($offset) should either be compatible with ArrayAccess::offsetUnset(mixed $offset): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 356

Deprecated: FunctionParser\Tokenizer implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Tokenizer.php on line 15

Deprecated: FunctionParser\Token implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in /data/data/com.termux/files/home/php/bota/vendor/jeremeamia/functionparser/src/Token.php on line 21
string(11) "Hello world"